Source-Changes-HG archive


[src/trunk]: src/libexec/telnetd Buffer overflow and environment passing fixe...



details:   https://anonhg.NetBSD.org/src/rev/c6b4c30ccfda
branches:  trunk
changeset: 499417:c6b4c30ccfda
user:      christos <christos%NetBSD.org@localhost>
date:      Sun Nov 19 20:17:39 2000 +0000

description:
Buffer overflow and environment passing fixes [originally inspired from
FreeBSD]. We really didn't need the environment fixes, but for the sake
of keeping the code as close as possible...

diffstat:

 libexec/telnetd/defs.h     |   7 ++++++-
 libexec/telnetd/sys_term.c |  32 ++++++++++++++++++++++----------
 libexec/telnetd/telnetd.c  |   9 ++++-----
 3 files changed, 32 insertions(+), 16 deletions(-)

diffs (145 lines):

diff -r 4d1d7fb6e653 -r c6b4c30ccfda libexec/telnetd/defs.h
--- a/libexec/telnetd/defs.h    Sun Nov 19 20:11:12 2000 +0000
+++ b/libexec/telnetd/defs.h    Sun Nov 19 20:17:39 2000 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: defs.h,v 1.7 1998/04/01 15:05:10 kleink Exp $  */
+/*     $NetBSD: defs.h,v 1.8 2000/11/19 20:17:39 christos Exp $        */
 
 /*
  * Copyright (c) 1989, 1993
@@ -298,3 +298,8 @@
 
 #define his_will_wont_is_changing      my_do_dont_is_changing
 #define his_do_dont_is_changing                my_will_wont_is_changing
+
+/*
+ * Initialization buffer for tty device [16 characters long]
+ */
+#define NULL16STR      "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"
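Review bot: The comment on `NULL16STR` says "16 characters long", but the other hunks in this commit use the macro as a copy bound through `sizeof(NULL16STR)`, which is 17 because the literal carries an implicit terminator. The comment should state that, for example `/* 16 NULs; sizeof(NULL16STR) is 17 with the terminator and is the strlcpy bound for line */`. A reader checking the `strlcpy` calls against the buffer size otherwise has to work out the extra byte themselves.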
diff -r 4d1d7fb6e653 -r c6b4c30ccfda libexec/telnetd/sys_term.c
--- a/libexec/telnetd/sys_term.c        Sun Nov 19 20:11:12 2000 +0000
+++ b/libexec/telnetd/sys_term.c        Sun Nov 19 20:17:39 2000 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: sys_term.c,v 1.18 1999/12/31 12:42:35 tron Exp $       */
+/*     $NetBSD: sys_term.c,v 1.19 2000/11/19 20:17:39 christos Exp $   */
 
 /*
  * Copyright (c) 1989, 1993
@@ -38,7 +38,7 @@
 #if 0
 static char sccsid[] = "@(#)sys_term.c 8.4+1 (Berkeley) 5/30/95";
 #else
-__RCSID("$NetBSD: sys_term.c,v 1.18 1999/12/31 12:42:35 tron Exp $");
+__RCSID("$NetBSD: sys_term.c,v 1.19 2000/11/19 20:17:39 christos Exp $");
 #endif
 #endif /* not lint */
 
@@ -482,13 +482,13 @@
  * Returns the file descriptor of the opened pty.
  */
 #ifndef        __GNUC__
-char *line = "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0";
+char *line = NULL16STR;
 #else
-static char Xline[] = "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0";
+static char Xline[] = NULL16STR;
 char *line = Xline;
 #endif
 #ifdef CRAY
-char *myline = "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0";
+char *myline = NULL16STR;
 #endif /* CRAY */
 
 #ifdef OPENPTY_PTY
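Review bot: In the `#ifndef __GNUC__` branch `line` still points directly at a string literal, and the `strlcpy(line, ...)` calls added in this commit write through that pointer. Modifying a string literal is undefined behaviour and faults where literals are placed in read-only memory, so the bounded copy is only well defined in the `#else` branch. Using the array form unconditionally, `static char Xline[] = NULL16STR;` followed by `char *line = Xline;`, removes the compiler dependence. `myline` under `CRAY` has the same shape.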
@@ -522,7 +522,7 @@
        if (p > 0) {
                grantpt(p);
                unlockpt(p);
-               strcpy(line, ptsname(p));
+               (void)strlcpy(line, ptsname(p), sizeof(NULL16STR));
                return(p);
        }
 
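Review bot: The new `strlcpy` into `line` throws away its return value, so a slave name longer than 16 characters is truncated silently and the function still returns `p` as if `line` named the right device. Comparing the result with the bound, `if (strlcpy(line, ptsname(p), sizeof(NULL16STR)) >= sizeof(NULL16STR))`, and taking the function's failure path would turn truncation into an error instead of a wrong tty name. The `ptsname(p)` result is also passed straight in without a NULL check. The `strlcpy(line, lp, sizeof(NULL16STR))` in the pty loop in telnetd.c has the same unchecked truncation, followed by a write to `line[5]`. The enclosing function starts and ends outside this hunk.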
@@ -1601,7 +1601,7 @@
 #endif
 #ifdef SOLARIS
        char *term;
-       char termbuf[64];
+       char termnamebuf[64];
 #endif
 
 #ifdef UTMPX
@@ -1655,9 +1655,10 @@
                if (term == NULL || term[0] == 0) {
                        term = "-";
                } else {
-                       strcpy(termbuf, "TERM=");
-                       strncat(termbuf, term, sizeof(termbuf) - 6);
-                       term = termbuf;
+                       (void)strcpy(termnamebuf, "TERM=");
+                       (void)strlcpy(&termnamebuf[5], term,
+                           sizeof(termnamebuf) - 6);
+                       term = termnamebuf;
                }
                argv = addarg(argv, term);
 #endif
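Review bot: The bound passed to `strlcpy` here, `sizeof(termnamebuf) - 6`, is the old `strncat` count carried over unchanged. `strlcpy` takes the full size of the destination including the terminator, and the space left from `&termnamebuf[5]` is `sizeof(termnamebuf) - 5`. The result is safe but truncates one character earlier than the buffer requires, and the truncation is not reported. A single formatted write, `(void)snprintf(termnamebuf, sizeof(termnamebuf), "TERM=%s", term);`, avoids the index arithmetic and the preceding `strcpy`. The enclosing function is only partly visible in this hunk.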
@@ -1893,6 +1894,17 @@
                if (strncmp(*cpp, "LD_", 3) &&
                    strncmp(*cpp, "_RLD_", 5) &&
                    strncmp(*cpp, "LIBPATH=", 8) &&
+                   strncmp(*cpp, "LOCALDOMAIN=", 12) &&
+                   strncmp(*cpp, "RES_OPTIONS=", 12) &&
+                   strncmp(*cpp, "TERMINFO=", 9) &&
+                   strncmp(*cpp, "TERMINFO_DIRS=", 14) &&
+                   /*
+                    * We dissallow TERMPATH and TERMCAP
+                    * entries that reference files.
+                    */
+                   strncmp(*cpp, "TERMPATH=", 9) &&
+                   strncmp(*cpp, "TERMCAP=/", 9) &&
+                   strncmp(*cpp, "ENV=", 4) &&
                    strncmp(*cpp, "IFS=", 4))
                        *cpp2++ = *cpp;
        }
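Review bot: This filter is a denylist, so any variable that is not named in the `strncmp` chain is still copied through `*cpp2++ = *cpp`. Each newly discovered loader, resolver or terminal-database variable then needs another line here. An allowlist of the variables the login path actually needs would fail closed; if the list must stay, a comment above the condition should say what each group is for and that the list is not exhaustive. The added comment also misspells "disallow" and reads as if `TERMPATH` were filtered conditionally; `We disallow TERMPATH, and TERMCAP entries that reference files.` matches what the two tests do. The loop and function continue outside the hunk.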
diff -r 4d1d7fb6e653 -r c6b4c30ccfda libexec/telnetd/telnetd.c
--- a/libexec/telnetd/telnetd.c Sun Nov 19 20:11:12 2000 +0000
+++ b/libexec/telnetd/telnetd.c Sun Nov 19 20:17:39 2000 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: telnetd.c,v 1.22 2000/08/18 03:25:52 itojun Exp $      */
+/*     $NetBSD: telnetd.c,v 1.23 2000/11/19 20:17:39 christos Exp $    */
 
 /*
  * Copyright (C) 1997 and 1998 WIDE Project.
@@ -69,7 +69,7 @@
 #if 0
 static char sccsid[] = "@(#)telnetd.c  8.4 (Berkeley) 5/30/95";
 #else
-__RCSID("$NetBSD: telnetd.c,v 1.22 2000/08/18 03:25:52 itojun Exp $");
+__RCSID("$NetBSD: telnetd.c,v 1.23 2000/11/19 20:17:39 christos Exp $");
 #endif
 #endif /* not lint */
 
@@ -922,13 +922,12 @@
 #else
        for (;;) {
                char *lp;
-               extern char *line;
 
                if ((lp = getpty()) == NULL)
                        fatal(net, "Out of ptys");
 
                if ((pty = open(lp, 2)) >= 0) {
-                       strcpy(line,lp);
+                       (void)strlcpy(line, lp, sizeof(NULL16STR));
                        line[5] = 't';
                        break;
                }
@@ -1239,7 +1238,7 @@
                IM = getstr("im", &cp);
                IF = getstr("if", &cp);
                if (HN && *HN)
-                       (void) strcpy(host_name, HN);
+                       (void)strlcpy(host_name, HN, sizeof(host_name));
                if (IM == 0)
                        IM = "";
        } else {
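Review bot: `sizeof(host_name)` in the new `strlcpy` call is only the buffer size if `host_name` is declared as an array with a complete type in this translation unit; its declaration is outside the hunk, so this should be confirmed. If it is reached through a pointer declaration, the bound becomes the pointer size and the copy truncates to a few bytes. The return value is discarded as well, so an over-long `HN` value is shortened without any diagnostic. A short comment such as `/* host_name is a char array, so sizeof is its capacity */` would record the assumption.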


